A CLI for Developer Control Plane. Accelerate your cloud IaC deployments.
Project description
ThothCTL
AI-Powered Infrastructure Lifecycle CLI for DevSecOps, Platform Engineering, and IaC governance.
ThothCTL accelerates the adoption of Internal Developer Platforms by combining security scanning, inventory management, cost analysis, AI-driven code review, and organizational policy enforcement into a single CLI.
Quick Start
pip install --upgrade thothctl
# Scan for security issues
thothctl scan iac -t checkov -t trivy -t opa
# Create infrastructure inventory (SBOM)
thothctl inventory iac --check-versions
# Launch web dashboard
thothctl dashboard launch
# AI-powered security review
thothctl ai-review analyze -d ./terraform -p ollama
Key Features
🔒 Security Scanning
Multi-tool scanning with unified HTML reports and enforcement:
# All scanners with hard enforcement (fails pipeline on violations)
thothctl scan iac -t checkov -t trivy -t kics -t opa -t terraform-compliance --enforcement hard
- 5 integrated tools: Checkov, Trivy, KICS, OPA/Conftest, Terraform-compliance
- Unified HTML reports with severity badges, per-stack breakdown
- Non-compliance findings table on enforcement failure
- SARIF output for GitHub Code Scanning integration
- Organization policy repos via
THOTH_ORG_POLICYenv var (HCL + CloudFormation) - Scan trend tracking with local SQLite history
📦 Infrastructure Inventory (SBOM)
CycloneDX 1.6 compliant Software Bill of Materials:
thothctl inventory iac --check-versions
- Module & provider version tracking with staleness detection
- CycloneDX 1.6 SBOM with formulation, evidence, standards, attestations, dependency graph, hashes, and licenses
- Technical debt scoring with risk levels and recommendations
- Schema compatibility analysis for safe upgrades
- Professional HTML reports with collapsible stack groups
📊 Web Dashboard
Modern FastAPI-based dashboard with dark mode:
thothctl dashboard launch
- Security findings viewer — filter by tool/severity/search, pagination, inline report iframe
- SBOM details browser — CycloneDX metadata, dependency graph, formulation, attestations
- Inventory explorer — collapsible stacks, module/provider tabs, version comparison
- Cost analysis — service breakdown, monthly/annual projections
- Drift detection — severity-classified drifted resources
- AI usage tracking — token counts, costs per request
🤖 AI Agent for IaC Security
Multi-agent system for automated code review and PR decisions:
thothctl ai-review analyze -d ./terraform -p ollama
thothctl ai-review decide -d ./terraform --pr-number 42 --dry-run
- 4 specialized agents: Security, Architecture, Fix, Decision
- Multi-provider: OpenAI, AWS Bedrock, Azure OpenAI, Ollama (local)
- Auto-decisions with confidence thresholds and safety controls
- Adaptive memory: filesystem or S3 (auto-detects runtime)
- MCP integration for AI assistant interoperability
💰 Cost Analysis & Risk Assessment
thothctl check iac -type cost-analysis --recursive
thothctl check iac -type blast-radius --recursive
thothctl check iac -type drift --recursive
- 14 AWS services supported (EC2, RDS, S3, Lambda, EKS, etc.)
- Blast radius with ITIL v4 risk classification
- Drift detection with severity scoring and IaC coverage tracking
🔄 Template Engine & Project Management
thothctl project convert --make-template --template-project-type terraform
thothctl init project --name my-infra --template terraform-aws
- Bidirectional conversion between projects and reusable templates
- Backstage integration for self-service consumption
- Template upgrade workflow to keep projects in sync
All Commands
| Command | Description |
|---|---|
scan iac |
Multi-tool security scanning with enforcement |
inventory iac |
Infrastructure SBOM with version tracking |
check iac |
Cost analysis, blast radius, drift detection, structure validation |
ai-review |
AI-powered security analysis and PR decisions |
dashboard launch |
Web dashboard for all reports |
document iac |
Auto-generate documentation |
project convert |
Template ↔ project conversion |
init project |
Scaffold new IaC projects |
mcp |
Model Context Protocol server |
generate |
Generate IaC from rules and components |
Installation
pip install --upgrade thothctl
Requirements: Python 3.10+ | Linux, macOS, or Windows (WSL)
Optional system packages:
# Linux/Debian
sudo apt install graphviz libgraph-easy-perl -y
# macOS
brew install graphviz graph-easy
Dev Container
A ready-to-use Dev Container is available with all tools pre-configured:
# Open in VS Code → "Reopen in Container"
# Or use the devcontainer CLI:
devcontainer up --workspace-folder .
Documentation
📖 Full docs: thothforge.github.io/thothctl
- Quick Start
- DevSecOps SDLC Guide
- Scan Command Reference
- Inventory & SBOM
- Dashboard
- AI Review
- Template Engine
- Dev Container Setup
CI/CD Integration
# GitHub Actions
- name: Security scan
run: thothctl scan iac -t checkov -t trivy -t opa --enforcement hard --post-to-pr
- name: Inventory check
run: thothctl inventory iac --check-versions --report-type json
Roadmap
- Multi-tool security scanning with unified reports
- AI Agent for IaC Security (multi-agent, auto-decisions)
- CycloneDX 1.6 SBOM with full supply chain metadata
- Organization policy engine (OPA/Rego, HCL + CloudFormation)
- Web Dashboard with findings viewer and SBOM browser
- Intent-to-IaC generation (natural language → governed Terraform)
- Composable workflow engine (declarative YAML DAG pipelines)
- Graph-aware state visibility (tfstate → queryable resource graph)
- Architecture diagram generation (Mermaid/Graphviz from IaC)
- Strands Agents SDK integration
Contributing
Contributions welcome! See CONTRIBUTING.md for guidelines.
License
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file thothctl-0.20.0.tar.gz.
File metadata
- Download URL: thothctl-0.20.0.tar.gz
- Upload date:
- Size: 1.7 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a2eeb44a8a076e0720bff70870ff96a5a689f4a94bd515de1fa371a0b8498252
|
|
| MD5 |
e2793d17e3910877dc3414cf7e161975
|
|
| BLAKE2b-256 |
df194e7f77eee076261f5fa1de4c2290e5d9c82dedd7253e2a0f5ce0d437b83c
|
Provenance
The following attestation bundles were made for thothctl-0.20.0.tar.gz:
Publisher:
python-publish.yml on thothforge/thothctl
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
thothctl-0.20.0.tar.gz -
Subject digest:
a2eeb44a8a076e0720bff70870ff96a5a689f4a94bd515de1fa371a0b8498252 - Sigstore transparency entry: 2083761240
- Sigstore integration time:
-
Permalink:
thothforge/thothctl@521001a18526ebb2c26c602a882d0651c4696428 -
Branch / Tag:
refs/tags/v0.20.0 - Owner: https://github.com/thothforge
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
python-publish.yml@521001a18526ebb2c26c602a882d0651c4696428 -
Trigger Event:
push
-
Statement type:
File details
Details for the file thothctl-0.20.0-py3-none-any.whl.
File metadata
- Download URL: thothctl-0.20.0-py3-none-any.whl
- Upload date:
- Size: 647.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f24c3143f198020cfe49aa4de3a36f38bb0a4a13ef090a343462cb61d70cee22
|
|
| MD5 |
fa91eee1e0a09d0f0d444c8e5713f3f5
|
|
| BLAKE2b-256 |
78df2a6d55741b6aad82fe602e592a4259b195f68930bedfcd31c738f8d500bd
|
Provenance
The following attestation bundles were made for thothctl-0.20.0-py3-none-any.whl:
Publisher:
python-publish.yml on thothforge/thothctl
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
thothctl-0.20.0-py3-none-any.whl -
Subject digest:
f24c3143f198020cfe49aa4de3a36f38bb0a4a13ef090a343462cb61d70cee22 - Sigstore transparency entry: 2083761275
- Sigstore integration time:
-
Permalink:
thothforge/thothctl@521001a18526ebb2c26c602a882d0651c4696428 -
Branch / Tag:
refs/tags/v0.20.0 - Owner: https://github.com/thothforge
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
python-publish.yml@521001a18526ebb2c26c602a882d0651c4696428 -
Trigger Event:
push
-
Statement type: